As you are probably well aware, this past weekend provided a sizable scare for corporations and IT departments around the world. “WannaCry” exploited a known vulnerability in Microsoft Operating Systems (OS) and has been widely reported to have impacted more than 200,000 computers in 150+ countries. Hospitals, banks, two European automotive facilities, and a rail system were amongst those reported to have been impacted. Given how many Microsoft OS-based systems are out there in our plants, you may be wondering if you should be concerned and what, if any, action you can take. The answer is yes: we should always be concerned about security, and it is a wise idea to educate yourself. To assist, Rockwell has provided some guidance in a public Knowledgebase Article #1047348.

Below is an excerpt from Version 1.0 of this article, published on Monday, May 15. We encourage all of our customers to take a read, think through potential actions for your facility, and call us if you’d like to discuss various security strategies in more detail.

Please note: at the bottom is a link to the full Knowledgebase article. We also suggest subscribing for “updates” to this article in the event that RA modifies it in the near future.

Knowledgebase Article #1047348

Version 1.0 – May 15, 2017

On May 10, 2017, a new ransomware attack called “WannaCry” (also known as “WannaCrypt”) began affecting Microsoft Windows personal computers (PCs) around the world. The ransomware is a self-propagating “worm” that infects any vulnerable host that has not patched the SMBv1 Windows vulnerability. This vulnerability was patched in March 2017 by Microsoft and has been named “MS17-010”, which is included in the monthly Microsoft roll-ups: “MS17-006”.

Unlike previous ransomware variants that require social engineering (“phishing”), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.
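Because the worm spreads over SMB with no user interaction, an infected host attempts connections to many peers on TCP port 445 in a short time, which shows up in firewall connection logs. The following is an added example, not part of the Rockwell Automation advisory; the log layout, addresses, time window and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # SMB over TCP
WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed distinct-destination limit

# Assumed log layout: "<ISO time> <action> TCP <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def parse(lines):
    """Yield (time, src, dst) for well-formed SMB connection records."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(5)) != SMB_PORT:
            continue  # skip malformed lines and non-SMB traffic
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # timestamp present but not parseable
        yield ts, m.group(3), m.group(4)

def smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to its peak count of distinct SMB destinations per window."""
    events = defaultdict(list)
    for ts, src, dst in sorted(parse(lines)):
        events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample: one workstation sweeping a subnet, one host using a single file server.
SAMPLE = [f"2017-05-15T08:00:{i:02d} DENY TCP 10.10.1.23 -> 10.10.2.{i}:445" for i in range(1, 9)]
SAMPLE += [f"2017-05-15T08:0{i}:00 ALLOW TCP 10.10.1.40 -> 10.10.2.200:445" for i in range(5)]
SAMPLE += ["2017-05-15T08:00:30 ALLOW TCP 10.10.1.40 -> 10.10.2.201:80", "garbage line"]

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE).items():
        print(f"{src}: {n} distinct SMB destinations within {WINDOW}")
```

Denied connections are counted as well as allowed ones, so a host that is sweeping for SMB peers is flagged even when the firewall is blocking it.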

As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications.

Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.

The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be relatively ‘low risk’ in terms of impacting Rockwell Automation products, and it should be applied at your discretion.

In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blog post for additional information.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.

Use trusted software and software patches that are obtained only from highly reputable sources.

Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

This knowledge base web site is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this web site is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS “AS IS.” IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

Julia Santogatta is the Director of Networking, Automation, & Information Solutions at Rumsey. She has spent 15+ years working with customers in industrial manufacturing, system integration and machine building. Prior to joining Rumsey she spent 10 years with Rockwell Automation and five years with the Belden cable and networking brands – Belden, Hirschmann, Tofino and GarrettCom.